While Microsoft officially deprecated running Exchange on domain controllers since Exchange 2013 (KB 2989242), many small businesses still operate this configuration. For organizations with ≤25 users, the technical reality differs from vendor recommendations.

# Example PowerShell to check current AD + Exchange resource usage:
Get-Counter '\Process(*)\% Processor Time' | 
  Where-Object {$_.InstanceName -match 'MSExchange|NTDS|LSASS'} | 
  Sort-Object -Property CookedValue -Descending | 
  Select-Object -First 5

1. Security Exposure: Exchange servers require frequent internet-facing ports (25,443,587), while domain controllers should never be directly exposed. The attack surface expands exponentially when combining roles.

2. Performance Contention: Both services compete for:

• LSASS process memory (authentication)
• Disk I/O for transaction logs
• Network bandwidth for replication

For environments where separation isn't feasible:

# Exchange 2016 Throttling Adjustments for Shared DC:
Set-ThrottlingPolicy -Identity DefaultThrottlingPolicy 
  -RCAMaxConcurrency 20 
  -EwsMaxConcurrency 15 
  -CPUStartPercent 75 
  -CPUSampleInterval 00:01:00

Network Isolation: Implement these firewall rules at minimum:

New-NetFirewallRule -DisplayName "Exchange-HTTPs" -Direction Inbound 
  -Protocol TCP -LocalPort 443 -Action Allow -Profile Any

New-NetFirewallRule -DisplayName "DC-Isolation" -Direction Inbound 
  -Protocol TCP -LocalPort 389,636,88,445 -Action Allow -RemoteAddress (Get-ADDomainController).IPv4Address

Create a custom perfmon collector for these counters:

# Exchange-AD Combined Monitoring Counters
$counters = @(
  "\Memory\Available MBytes",
  "\Process(lsass)\% Processor Time",
  "\LogicalDisk(C:)\Avg. Disk sec/Write",
  "\MSExchange ADAccess Domain Controllers(*)\LDAP Read Time",
  "\NTDS\DS Threads in Use"
)

Consider migration if observing:

• LSASS memory leaks > 1GB sustained
• DIT database growth beyond 15GB
• More than 2 Exchange CVEs per quarter requiring patching

For extreme budget constraints, Exchange Online Plan 1 ($4/user) often proves cheaper than maintaining on-premises hardware.

While Microsoft officially deprecated this configuration since Exchange 2013, many small businesses continue running Exchange 2016 on Windows Server 2012 R2 domain controllers. Let's examine this through an engineer's lens.

# Sample PowerShell to check resource contention
Get-Counter '\Process(*)\% Processor Time' | 
    Where-Object {$_.InstanceName -match 'MSExchange' -or $_.InstanceName -match 'NTDS'}

The two most critical technical issues:

• Schema Collisions: Exchange extends AD schema with thousands of new attributes. A failed schema update could cripple both services.
• Resource Starvation: Both services compete for:
  • LSASS process memory (security subsystem)
  • I/O bandwidth for NTDS.dit and Exchange databases

For environments where separation isn't feasible:

# Exchange throttling adjustments
Set-ThrottlingPolicy -Identity DefaultThrottlingPolicy 
    -RCAMaxConcurrency 15 
    -EwsMaxConcurrency 10 
    -CPUStartPercent 75

Essential configuration tweaks:

• Implement strict memory quotas using Windows System Resource Manager (WSRM)
• Place Exchange databases on separate physical disks from NTDS.dit
• Disable unused Exchange features (UM, Edge Transport) via PowerShell:

  Disable-WindowsOptionalFeature -Online -FeatureName Exchange-UM-Cmdlets
  

For the single-VM scenario you mentioned:

# Hyper-V dynamic memory configuration for the combined VM
Set-VM -Name "EXCH-DC01" -DynamicMemory -MaximumBytes 12GB -MinimumBytes 4GB -StartupBytes 8GB

Critical performance counters to monitor:

Essential PowerShell for backup isolation:

# Exchange-aware VSS backup excluding NTDS
$exclude = @("C:\Windows\NTDS","C:\Windows\SYSVOL")
New-WBPolicy | Add-WBVolume -VolumePath "C:" | 
    Add-WBSystemState | Set-WBVSSBackupOptions -VSSFullBackup |
    Set-WBPolicy -Force

Key recovery planning points:

• Maintain separate recovery passwords for DSRM and Exchange
• Test restore of AD objects without Exchange dependencies
• Document service account dependencies between components